One Day Sec

How can an attacker trigger the malicious DLL without directly running netsh?

Since some VPN software and system processes call netsh during startup, the attacker's DLL is loaded automatically whenever those programs invoke netsh. Alternatively, the attacker can add netsh to the startup items; only `netsh.exe` appears in the list, which makes the entry deceptive. This strategy is akin to using logon scripts to maintain persistence, where legitimate scripts are abused.